CN101304314B - Methods of encrypting and decrypting data and bus system using the methods - Google Patents

Publication number
CN101304314B
Authority
CN
China
Prior art keywords
data
bus
signal
synchronization signal
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200810081777.XA
Other languages
Chinese (zh)
Other versions
CN101304314A (en)
Inventor
李衡稷
李在珉
慎峻范
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12 Transmitting and receiving encryption devices synchronised or initially set up in a particular manner

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Small-Scale Networks (AREA)

Abstract

A method of encrypting and decrypting data and a bus system using the method are provided. The method of encrypting data includes: performing an operation on data to be sent through a bus with a key stream generated from a predetermined key to encrypt the data; sending the encrypted data to a predetermined module through the bus; and sending to the predetermined module a synchronization signal that is logic high when the encrypted data is sent through the bus. Accordingly, encryption speed is increased and encryption can be implemented simply, so that the security of data received from the bus can be improved.

Description

Method for encrypting and decrypting data and bus system using the method

This application claims priority from Korean Patent Application No. 10-2007-0044699, filed with the Korean Intellectual Property Office on May 8, 2007, the disclosure of which is incorporated herein by reference in its entirety.

Technical field

Methods and bus systems consistent with the present invention relate to encrypting and decrypting data.

Background art

Depending on how keys are handled, encryption systems can be divided into public key encryption systems and private key encryption systems. In a public key encryption system, every user has a publicly available public key and their own private (secret) key. The public key is used to encrypt a file, and the private key is used to decrypt the encrypted file when the individual stores the file. In a private key encryption system, on the other hand, encryption and decryption (decoding) are performed simultaneously. Private key encryption systems can be divided into block cipher systems and stream cipher systems.

A block cipher system divides a given plaintext into blocks of fixed length (64 bits or 128 bits) and performs encryption block by block. A stream cipher system, rather than dividing the plaintext into blocks, performs an exclusive OR (XOR) operation on the plaintext and a key stream derived from a secret key to produce the ciphertext. In general, stream cipher systems are faster than block cipher systems.

FIG. 1 is a block diagram of a prior art stream cipher system.

Referring to FIG. 1, the stream cipher system includes a central processing unit (CPU) 11, a cache 12, a memory controller 13, an encryption/decryption unit 14, an operation unit 15 and an external memory 16.

First, the operation of encrypting data sent from the CPU 11 to the bus will be described. When the CPU 11 issues a request to read/write data, the generated data is unencrypted plaintext, so it must be encrypted before it is sent through the bus. When the CPU 11 requests to read/write data, the encryption/decryption unit 14 detects the request. The key stream generation unit 141 included in the encryption/decryption unit 14 is synchronized with a clock signal (i.e., with the rising edge and/or falling edge of the clock signal) and generates a key stream corresponding to the size of the data. Here, for example, the size of the data may be expressed as a word count, in which the numbers of lines, words and letters are counted from the bytes or the input data. In the operation unit 15, an XOR operation is performed on the key stream and the data, which are synchronized with each other, so that they are mapped one-to-one in units of bytes, thereby encrypting the data. The encrypted data can then be sent to the outside through the bus.

Next, the operation of decrypting data that has been encrypted and sent through the bus, so that the CPU 11 can recognize the data, will be described. Encrypted data sent from the external memory 16 through the bus is delivered to the CPU 11 via the memory controller 13 and the cache 12. However, the CPU 11 cannot recognize encrypted data, so decryption is required. When encrypted data is sent from the external memory 16 through the bus, the encryption/decryption unit 14 detects the transmission. The key stream generation unit 141 included in the encryption/decryption unit 14 is synchronized with the clock signal and generates a key stream. In the operation unit 15, an XOR operation is performed on the key stream and the encrypted data, which are synchronized with each other, so that they are mapped one-to-one in units of bytes, thereby decrypting the encrypted data. The decrypted data is input to the CPU 11.

Here, the area including the CPU 11, the cache 12, the memory controller 13, the encryption/decryption unit 14 and the operation unit 15 may be referred to as a trusted area, and all modules outside the trusted area, that is, the external memory 16, may be referred to as an untrusted area. Data sent through the bus in the untrusted area may be exposed to the outside by tapping. Here, tapping means that data sent through the bus is exposed to the outside through other lines. Since the inside of a system on chip (SoC) or a single chip is referred to as a trusted area, data there can be protected. However, when different modules are mounted on one board, data sent through the bus on the board can be exposed by tapping, so it is difficult to protect data transmitted between the different modules.

Summary of the invention

The present invention provides a method of encrypting data by which data can be securely sent to each of a plurality of different modules connected by a bus.

The present invention also provides a method of decrypting data by which data can be securely sent to each of a plurality of different modules connected by a bus.

The present invention also provides a bus system by which data can be securely sent to each of a plurality of different modules connected by a bus, and in which the performance degradation incurred when sending encrypted or decrypted data is reduced.

According to an aspect of the present invention, there is provided a method of encrypting data, including: (a) performing an operation on data to be sent through a bus with a key stream generated from a predetermined key to encrypt the data; (b) sending the encrypted data to a predetermined module through the bus; and (c) sending a synchronization signal to the predetermined module when the encrypted data is sent through the bus.

The method of encrypting data may further include performing an exclusive OR (XOR) operation on the data and the key stream to encrypt the data.

The method of encrypting data may further include generating the key stream based on a seed including the predetermined key and additional information, wherein the seed is commonly applied during decryption of the encrypted data in the module that receives the encrypted data.

The method of encrypting data may further include generating the key stream in synchronization with a clock signal of the bus.

The method of encrypting data may further include synchronizing the synchronization signal with the clock signal of the bus.

The method of encrypting data may further include broadcasting the synchronization signal to at least two predetermined modules.

The method of encrypting data may further include sending the synchronization signal through each of a plurality of dedicated lines of the at least two predetermined modules.

The method of encrypting data may further include sending the synchronization signal to the bus under the control of a controller of the bus.

The method of encrypting data may further include sending the synchronization signal to at least one of a plurality of groups, wherein the plurality of groups include at least two predetermined modules.

According to another aspect of the present invention, there is provided a computer-readable recording medium having recorded thereon a computer program for executing a method of encrypting data, the method including: (a) performing an operation on data to be sent through a bus with a key stream generated from a predetermined key to encrypt the data; (b) sending the encrypted data to a predetermined module through the bus; and (c) sending a synchronization signal to the predetermined module when the encrypted data is sent through the bus.

According to another aspect of the present invention, there is provided a method of decrypting data, including: (a) receiving encrypted data from a predetermined module through a bus; (b) receiving a synchronization signal, wherein the synchronization signal is logic high when the encrypted data is sent through the bus; and (c) when the synchronization signal is logic high, performing an operation on the encrypted data with a key stream generated from a predetermined key.

The method of decrypting data may further include synchronizing the synchronization signal with a clock signal of the bus.

The method of decrypting data may further include performing an exclusive OR (XOR) operation on the encrypted data and the key stream to decrypt the encrypted data.

According to another aspect of the present invention, there is provided a computer-readable recording medium having recorded thereon a computer program for executing a method of decrypting data, the method including: (a) receiving encrypted data from a predetermined module through a bus; (b) receiving a synchronization signal, wherein the synchronization signal is logic high when the encrypted data is sent through the bus; and (c) when the synchronization signal is logic high, performing an operation on the encrypted data with a key stream generated from a predetermined key.

According to another aspect of the present invention, there is provided a bus system including at least two modules connected to a bus, wherein each module includes a module core and a wrapper for interfacing the module core with the bus. The wrapper encrypts a first data signal generated from the module core so as to send a first encrypted data signal through the bus, and outputs a logic-high first synchronization signal when the first encrypted data signal is sent through the bus. In addition, when a second data signal is sent through the bus, the wrapper decrypts the second data signal received from the bus according to a logic-high second synchronization signal and provides the decrypted second data signal to the module core.

The wrapper may include: a stream cipher transmitter that generates a key stream from a predetermined key when the first data signal is generated from the module core; and a stream cipher receiver that generates a key stream according to the second synchronization signal when the second data signal is received from the bus.

The key stream may be generated from a seed including the predetermined key and additional information, and the seed may be commonly applied to every module.

The wrapper may further include: a first operation unit that performs an exclusive OR (XOR) operation on the key stream and the first data signal to generate the first encrypted data signal; and a second operation unit that performs an XOR operation on the key stream and the second data signal to generate the decrypted second data signal.

The system may further include a first synchronization signal and a second synchronization signal sent through each of a plurality of dedicated lines of the modules.

Brief description of the drawings

The above and other aspects of the present invention will become more apparent from the following detailed description of exemplary embodiments with reference to the accompanying drawings, in which:

FIG. 1 is a block diagram of a prior art stream cipher system;

FIG. 2 is a block diagram of a bus system in a 1:1 configuration according to an exemplary embodiment of the present invention;

FIG. 3 is a block diagram illustrating in detail a data transmission operation in a bus system according to an exemplary embodiment of the present invention;

FIG. 4 is a block diagram schematically illustrating a wrapper included in a bus system according to an exemplary embodiment of the present invention;

FIG. 5 is a block diagram of a bus system in an N:N configuration according to an exemplary embodiment of the present invention;

FIG. 6 is a block diagram illustrating in detail a method of encrypting and decrypting data in a bus system according to an exemplary embodiment of the present invention;

FIG. 7 is a flowchart illustrating a method of encrypting data according to an exemplary embodiment of the present invention;

FIG. 8 is a flowchart illustrating a method of decrypting data according to an exemplary embodiment of the present invention.

Detailed description

Exemplary embodiments will now be described more fully with reference to the accompanying drawings, in which exemplary embodiments are shown. The invention may, however, be embodied in many different forms and should not be construed as being limited to the exemplary embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the invention to those skilled in the art. In the drawings, like reference numerals denote like elements, and the sizes and thicknesses of layers and regions are exaggerated for clarity. In addition, the terms used herein are defined according to the functions of the present invention. Thus, the terms may vary depending on the user or operator and on usage. That is, the terms used herein must be understood based on the descriptions made herein.

FIG. 2 is a block diagram of a bus system in a 1:1 configuration according to an embodiment of the present invention.

Referring to FIG. 2, the bus system in a 1:1 configuration according to an exemplary embodiment of the present invention includes a first module core 21, a first wrapper 22, a second module core 23, a second wrapper 24 and a bus 25. Each of the first module core 21 and the second module core 23 may independently be one of a central processing unit (CPU), a peripheral component interconnect (PCI) and a universal asynchronous receiver/transmitter (UART).

The first wrapper 22 converts the output signal of the first module core 21 according to the transmission specification of the bus 25 and monitors the control signals and data signals received from the bus 25, thereby interfacing the first module core 21 with the bus 25. In addition, the first wrapper 22 includes a first stream cipher transmitter (Tx Sc) 221 and a first stream cipher receiver (Rx Sc) 222.

The second wrapper 24 converts the output signal of the second module core 23 according to the transmission specification of the bus 25 and monitors the control signals and data signals received from the bus 25, thereby interfacing the second module core 23 with the bus 25. In addition, the second wrapper 24 includes a second stream cipher receiver (Rx Sc) 241 and a second stream cipher transmitter (Tx Sc) 242.

The first stream cipher transmitter 221 and the second stream cipher transmitter 242 encrypt data to be sent via the bus 25. More specifically, the first stream cipher transmitter 221 and the second stream cipher transmitter 242 generate a key stream from a seed including a predetermined key and additional information (for example, an initialization vector), and perform an operation on the generated key stream and the data to be sent via the bus 25, thereby encrypting the data. For example, the first stream cipher transmitter 221 and the second stream cipher transmitter 242 may perform an XOR operation on the generated key stream and the data to be sent via the bus 25, thereby encrypting the data.

The first stream cipher receiver 222 and the second stream cipher receiver 241 decrypt encrypted data received from the bus 25. More specifically, the first stream cipher receiver 222 and the second stream cipher receiver 241 generate a key stream from a seed including a predetermined key and additional information, and perform an operation on the generated key stream and the encrypted data received from the bus 25, thereby decrypting the data. For example, the first stream cipher receiver 222 and the second stream cipher receiver 241 may perform an XOR operation on the generated key stream and the encrypted data received from the bus 25, thereby decrypting the data.

In this case, the first and second stream cipher transmitters 221 and 242 and the first and second stream cipher receivers 222 and 241 may have a common seed. More specifically, when power is turned on, the same seed may be supplied to the first stream cipher transmitter 221, the first stream cipher receiver 222, the second stream cipher receiver 241 and the second stream cipher transmitter 242. Accordingly, the first stream cipher transmitter 221, the first stream cipher receiver 222, the second stream cipher receiver 241 and the second stream cipher transmitter 242 can generate the same key stream. However, the order of the key stream used with the synchronization signal of each pair, that is, the pair of the first stream cipher transmitter 221 and the second stream cipher receiver 241 and the pair of the first stream cipher receiver 222 and the second stream cipher transmitter 242, may be changed. The synchronization signal will be described with reference to FIG. 3.

Each of the first stream cipher transmitter 221, the first stream cipher receiver 222, the second stream cipher receiver 241 and the second stream cipher transmitter 242 may use Route Coloniale 4 (RC4). RC4 is a stream-type encryption algorithm that varies the length of the key through byte-wise operation and supports very fast encryption (compared with block encryption algorithms). However, this is only one exemplary embodiment of the present invention, and it will be obvious to those of ordinary skill in the art that the first stream cipher transmitter 221, the first stream cipher receiver 222, the second stream cipher receiver 241 and the second stream cipher transmitter 242 may use other algorithms.

FIG. 3 is a block diagram illustrating in detail a data transmission operation in a bus system according to an exemplary embodiment of the present invention.

Referring to FIG. 3, the bus system in a 1:1 configuration according to an exemplary embodiment of the present invention includes a first module wrapper 31, a second module wrapper 32 and a bus 33. The first module wrapper 31 includes a stream cipher transmitter (Tx Sc) 311, and the second module wrapper 32 includes a stream cipher receiver (Rx Sc) 321.

When data is input, the first module wrapper 31 encrypts the data into encrypted data E_DATA in the stream cipher transmitter 311 and sends the encrypted data E_DATA to the second module wrapper 32 through the bus 33. When the encrypted data E_DATA is received by the second module wrapper 32, the second module wrapper 32 decrypts the encrypted data E_DATA in the stream cipher receiver 321 and provides the decrypted data to a module (not shown) connected to the second module wrapper 32.

In this case, when the encrypted data E_DATA is sent through the bus 33, the first module wrapper 31 generates a synchronization signal synchronized with a clock signal (not shown) of the bus 33. The synchronization signal switches between logic high and logic low according to the encrypted data E_DATA. For example, the synchronization signal may switch to logic "high" only while the encrypted data E_DATA is being provided to the bus, and to logic "low" when the encrypted data E_DATA is not being provided to the bus.

The synchronization signal generated by the first module wrapper 31 is provided to the stream cipher receiver 321 included in the second module wrapper 32. In an exemplary embodiment of the present invention, the synchronization signal may be provided to the second module wrapper 32 through a dedicated line. Signals sent through the bus 33 must conform to the bus specification; sending the synchronization signal through a separate dedicated line (not shown) rather than through the bus 33 therefore means the bus specification does not need to be changed, which improves compatibility. In another exemplary embodiment of the present invention, the synchronization signal may be controlled by a bus controller so as to be sent through the bus 33. In yet another exemplary embodiment of the present invention, the first module wrapper 31 may be synchronized with the second module wrapper 32 by using a control signal of the bus 33 instead of generating a synchronization signal. In this case, however, implementation in such a configuration may be complicated.

The stream cipher receiver 321 included in the second module wrapper 32 simultaneously receives the encrypted data E_DATA from the bus 33 and the synchronization signal generated by the first module wrapper 31. The stream cipher receiver 321 generates a key stream according to the synchronization signal and performs an operation on the encrypted data E_DATA and the key stream, thereby decrypting the data.
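The sync-gated decryption of FIG. 3 can be simulated in a few lines. The following is an added example, not code from the patent: it uses RC4, which the description names as one possible key stream generator, and the names (`TxWrapper`, `RxWrapper`, `run_bus`), the key-then-IV seed layout, the idle bus value and the traffic pattern are all assumptions made for illustration. It compares a receiver that advances its key stream only while the synchronization signal is logic high with one that advances on every bus clock.

```python
from typing import Dict, Iterator, List, NamedTuple, Optional, Tuple

IDLE = 0x00  # constructed: value on the data lines when no E_DATA is driven


def rc4_keystream(seed: bytes) -> Iterator[int]:
    """Yield RC4 key stream bytes for `seed` (key scheduling, then output loop)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


class Cycle(NamedTuple):
    """What a module observes during one bus clock."""
    sync: int  # level of the dedicated synchronization line (1 = logic high)
    data: int  # byte on the data bus


class TxWrapper:
    """Stream cipher transmitter (Tx Sc): encrypts and drives the sync line."""

    def __init__(self, seed: bytes) -> None:
        self._ks = rc4_keystream(seed)

    def clock(self, word: Optional[int]) -> Cycle:
        if word is None:  # module core has nothing to send this clock
            return Cycle(sync=0, data=IDLE)
        return Cycle(sync=1, data=word ^ next(self._ks))


class RxWrapper:
    """Stream cipher receiver (Rx Sc), with or without sync gating."""

    def __init__(self, seed: bytes, gate_on_sync: bool) -> None:
        self._ks = rc4_keystream(seed)
        self._gate = gate_on_sync

    def clock(self, cycle: Cycle) -> Optional[int]:
        if self._gate and not cycle.sync:
            return None  # sync low: leave the key stream where it is
        return cycle.data ^ next(self._ks)  # consumes one key stream byte


def make_schedule(message: bytes, idle_after: Dict[int, int]) -> List[Optional[int]]:
    """Constructed traffic: message bytes with idle clocks after given indexes."""
    schedule: List[Optional[int]] = []
    for index, byte in enumerate(message):
        schedule.append(byte)
        schedule.extend([None] * idle_after.get(index, 0))
    return schedule


def run_bus(schedule: List[Optional[int]], seed: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (E_DATA seen on the bus, sync-gated output, free-running output)."""
    tx = TxWrapper(seed)
    gated = RxWrapper(seed, gate_on_sync=True)
    free = RxWrapper(seed, gate_on_sync=False)  # advances on every bus clock
    bus, out_gated, out_free = [], [], []
    for word in schedule:
        cycle = tx.clock(word)
        g, f = gated.clock(cycle), free.clock(cycle)
        if cycle.sync:  # compare outputs only on clocks that carried E_DATA
            bus.append(cycle.data)
            out_gated.append(g)
            out_free.append(f)
    return bytes(bus), bytes(out_gated), bytes(out_free)


# Constructed sample values; the seed layout key || IV is an assumption.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
IV = bytes.fromhex("0102030405060708")
SEED = KEY + IV
MESSAGE = b"SECRET-WORD"
SCHEDULE = make_schedule(MESSAGE, {1: 2, 5: 1})  # idle clocks after bytes 1 and 5

if __name__ == "__main__":
    e_data, gated_out, free_out = run_bus(SCHEDULE, SEED)
    print("E_DATA on bus :", e_data.hex())
    print("sync-gated Rx :", gated_out)
    print("free-running  :", free_out)
```

The free-running receiver decrypts correctly only until the first idle clock; after that its key stream position no longer matches the transmitter's, which is the drift the synchronization signal prevents.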

图4是示意地示出根据本发明示例性实施例的包括在总线系统中的包裹器的示例的框图。FIG. 4 is a block diagram schematically showing an example of a wrapper included in a bus system according to an exemplary embodiment of the present invention.

参照图4,包裹器40包括流密码发送器(Tx Sc)41和流密码接收器(RxSc)42。流密码发送器(Tx Sc)41将第一数据信号加密成第一加密的数据信号E_DATA1,并将第一加密的数据信号E_DATA1提供给总线。流密码接收器42对从总线接收的第二加密的数据信号E_DATA2进行解密。Referring to FIG. 4 , the wrapper 40 includes a stream cipher transmitter (Tx Sc) 41 and a stream cipher receiver (RxSc) 42. The stream cipher transmitter (Tx Sc) 41 encrypts the first data signal into a first encrypted data signal E_DATA1, and provides the first encrypted data signal E_DATA1 to the bus. The stream cipher receiver 42 decrypts the second encrypted data signal E_DATA2 received from the bus.

包裹器40通过单独的专用线(而不是总线)将根据第一加密的数据信号E_DATA1在逻辑高和逻辑低之间切换的第一同步信号发送到另一模块。此外,包裹器40通过单独的专用线(而不是总线)从另一模块接收根据第二加密的数据信号E_DATA2在逻辑高和逻辑低之间切换的第二同步信号。换句话说,包裹器40可具有除总线之外的两条独立的专用线。当多个不同模块的每一个以1:1的配置连接时,包裹器40可具有两条专用线,当每一个不同的模块以1:N的配置连接时,包裹器40可具有2N条专用线。这里,N是大于1的自然数。The wrapper 40 sends the first synchronization signal switching between logic high and logic low according to the first encrypted data signal E_DATA1 to another module through a separate dedicated line instead of a bus. Furthermore, the wrapper 40 receives a second synchronization signal switching between logic high and logic low according to the second encrypted data signal E_DATA2 from another module through a separate dedicated line (instead of a bus). In other words, wrapper 40 may have two separate dedicated lines in addition to the bus. When multiple different modules are each connected in a 1:1 configuration, the wrapper 40 can have two dedicated lines, and when each of the different modules is connected in a 1:N configuration, the wrapper 40 can have 2N dedicated lines Wire. Here, N is a natural number greater than 1.

图5是根据本发明示例性实施例的以N:N配置的总线系统的框图。FIG. 5 is a block diagram of a bus system in an N:N configuration according to an exemplary embodiment of the present invention.

Referring to FIG. 5, the bus system in an N:N configuration according to an exemplary embodiment of the present invention includes a CPU 51, a PCI 53, a UART 55 and a bus 59. The bus system may further include another module 57. Here, the CPU 51, PCI 53 and UART 55 are only examples of modules connected to the bus 59; they may be other modules or any module developed in the future.

The CPU 51 is the core device of a computer system and controls processing such as interpreting instructions, operating on data, and comparison. It also includes a CPU wrapper 52 to interface with the bus 59. The CPU wrapper 52 may include a first stream cipher transmitter 521 and a first stream cipher receiver 522.

The PCI 53 is an interconnection system for devices inserted in expansion slots, which are arranged close to the microprocessor for high-speed operation. The PCI 53 also includes a PCI wrapper 54 to interface with the bus 59. The PCI wrapper 54 may include a second stream cipher transmitter 541 and a second stream cipher receiver 542.

The UART 55 is a module that handles the asynchronous serial communication of a computer, usually in the form of a microchip. It also includes a UART wrapper 56 to interface with the bus 59. The UART wrapper 56 may include a third stream cipher transmitter 561 and a third stream cipher receiver 562.

The other module 57 may be a module developed in the future and also includes a wrapper 58 to interface with the bus 59. The wrapper 58 may include a fourth stream cipher transmitter 581 and a fourth stream cipher receiver 582.

Since the bus system of FIG. 5 includes four modules, N is 4 and the bus system of FIG. 5 is in a 4:4 configuration. If each stream cipher transmitter and each stream cipher receiver were operated independently, the modules of the bus system would form 4×3 pairs (that is, N×(N−1)) and 2×4×3 (that is, 2×N×(N−1)) stream cipher transmitters/receivers would be needed, so the configuration of the bus system could become complex.

In the exemplary embodiment of the present invention, however, the stream cipher transmitters/receivers share a common seed, so encryption and decryption can be performed with only 2×4 (that is, 2×N) stream cipher transmitters/receivers. As described above, the seed includes a predetermined key and additional information (for example, an initialization vector IV), and the stream cipher transmitters/receivers generate the key stream from this seed. That is, the first to fourth stream cipher transmitters 521, 541, 561 and 581 and the first to fourth stream cipher receivers 522, 542, 562 and 582 share a common seed, so a bus system in an N:N configuration can be implemented simply, using only 8 units.

In this case, one module may broadcast the synchronization signal to all modules. For example, the CPU wrapper 52 may broadcast the synchronization signal so that it is sent to the PCI wrapper 54, the UART wrapper 56 and the wrapper 58. This is only one example of the present invention, however: the modules may be divided into at least two groups, and the synchronization signal may be sent to at least one of those groups. For example, if the PCI 53 and the UART 55 are designated the first group and the other modules the second group, the CPU wrapper 52 may send the synchronization signal only to the PCI wrapper 54 and the UART wrapper 56, which are included in the first group.

In an exemplary embodiment of the present invention, the synchronization signal may be a 1-bit signal. Since the bus system of FIG. 5 includes 4 modules, there are 2×4 (that is, 2×N) stream cipher transmitters and receivers; however, 4×3 (that is, N×(N−1)) synchronization signals are needed. Therefore, 4×3 (that is, N×(N−1)) bits of overhead are typically generated.

FIG. 6 is a block diagram illustrating in detail a method of encrypting and decrypting data in a bus system according to an exemplary embodiment of the present invention.

Referring to FIG. 6, a bus system according to an exemplary embodiment of the present invention includes a module core 61 and a wrapper 62. The wrapper 62 includes a stream cipher transmitter (Tx Sc) 621 and a stream cipher receiver (Rx Sc) 622. The wrapper 62 may further include a first operation unit 623 and a second operation unit 634.

The module core 61 may be any module, such as a CPU or a PCI. The module core 61 may request that data be read or written, and the data requested to be read or written is unencrypted plaintext data PD. Data generated by the module core 61 has to be sent to the target module over the bus; on the bus, however, the data may be exposed to the outside. The plaintext data PD is therefore encrypted into ciphertext data CD before being sent over the bus.

The operation of the wrapper 62 is described below, divided into an encryption operation and a decryption operation.

First, during encryption, the wrapper 62 detects plaintext data PD1 input from the module core 61, and the stream cipher transmitter 621 included in the wrapper 62 generates a key stream that is to be synchronized with the clock signal of the bus. As described above, the stream cipher transmitter 621 generates the key stream from a seed that includes a predetermined key and additional information. The generated key stream may be a random number and may be varied in different ways.

The first operation unit 623 included in the wrapper 62 performs an operation on the generated key stream and the plaintext data PD1 to generate encrypted data, that is, ciphertext data CD1. Here, in an exemplary embodiment of the present invention, the first operation unit 623 may perform an operation on the generated key stream and the plaintext data PD1 to generate the ciphertext data CD1.

While sending the ciphertext data CD1 over the bus, the wrapper 62 generates a synchronization signal, which is logic "high" while the ciphertext data CD1 is being sent over the bus. In other words, the synchronization signal switches between logic high and logic low according to the ciphertext data CD1, and it should be synchronized with the clock signal of the bus. When a data frame on the bus is cut off in the middle of the frame because of a delay, the synchronization signal is switched to logic "low", and when the data is sent again, the synchronization signal is switched back to logic "high". The stream cipher receiver of the target module can therefore generate a key stream that is exactly synchronized with the ciphertext data CD1 it receives. In another exemplary embodiment, the wrapper 62 may send the synchronization signal to other modules. In this case, the wrapper 62 may broadcast the synchronization signal, or may divide the modules into groups and send the synchronization signal to some of the groups.

Second, during decryption, the wrapper 62 detects encrypted data received from the bus, that is, ciphertext data CD2. The stream cipher receiver 622 included in the wrapper 62 receives a synchronization signal and generates a key stream according to that synchronization signal. In this case, the seed from which the key stream is generated is the same as the seed of the stream cipher transmitter 621 and of the stream cipher transmitters/receivers of the other modules. The synchronization signal is provided by the module that generated the ciphertext data CD2, and it switches between logic high and logic low according to the ciphertext data CD2. In another exemplary embodiment of the present invention, the wrapper 62 may receive the synchronization signal from other modules.

The stream cipher receiver 622 included in the wrapper 62 performs an operation on the generated key stream and the ciphertext data CD2 and produces the decrypted form of the ciphertext data CD2 (that is, plaintext data) as the result. Here, in an exemplary embodiment of the present invention, the stream cipher receiver 622 may perform an XOR operation on the generated key stream and the ciphertext data CD2 to generate plaintext data PD2.

FIG. 7 is a flowchart illustrating a method of encrypting data according to an exemplary embodiment of the present invention.

Referring to FIG. 7, the method of encrypting data according to an exemplary embodiment of the present invention consists of operations performed in time sequence in the bus system of FIG. 6. Therefore, even where a description is omitted below, the description of the bus system of FIG. 6 also applies to the encryption method of the exemplary embodiment shown in FIG. 7.

Referring to FIG. 7, in operation 71, when data is generated in the module that sends data, the wrapper connected to that module performs an operation on the data to be sent over the bus, using a key stream generated from a predetermined key, thereby encrypting the data. In an exemplary embodiment of the present invention, an XOR operation may be performed on the data to be sent over the bus and the key stream to encrypt the data. The key stream is generated from a seed that includes the predetermined key and additional information, and it may be synchronized with the clock signal of the bus. The additional information may be an initialization vector.

In operation 72, the wrapper sends the encrypted data to a predetermined module over the bus. In an exemplary embodiment of the present invention, there may be at least two predetermined modules.

In operation 73, while the encrypted data is being sent over the bus, a logic-high synchronization signal is sent to the predetermined module. The synchronization signal may be synchronized with the clock signal of the bus. In an exemplary embodiment of the present invention, there may be at least two predetermined modules, and the synchronization signal may be broadcast. The synchronization signal may be sent over a dedicated line to each of the at least two modules, or it may be sent under the control of the controller of the bus. In another exemplary embodiment of the present invention, there may be at least two predetermined modules, these modules may be divided into groups, and the synchronization signal may be sent to at least one group.

FIG. 8 is a flowchart illustrating a method of decrypting data according to an exemplary embodiment of the present invention.

Referring to FIG. 8, the method of decrypting data according to an exemplary embodiment of the present invention consists of operations performed in time sequence in the bus system of FIG. 6. Therefore, even where a description is omitted below, the description of the bus system of FIG. 6 also applies to the decryption method of the current exemplary embodiment shown in FIG. 8.

Referring to FIG. 8, in operation 81, the wrapper connected to the module that receives data receives encrypted data from a predetermined module over the bus.

In operation 82, the wrapper receives a synchronization signal that is logic high while the encrypted data is being sent over the bus. The synchronization signal may be synchronized with the clock signal of the bus.

In operation 83, while the synchronization signal is logic high, the wrapper performs an operation on the encrypted data using a key stream generated from a predetermined key, thereby decrypting the data. In an embodiment of the present invention, an XOR operation may be performed on the key stream and the encrypted data to decrypt the encrypted data.
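The encryption steps (operations 71 to 73) and decryption steps (operations 81 to 83) can be simulated clock by clock. The following is an added example, not code from the patent: the keystream generator (SHA-256 in counter mode), the `KEY`, `IV` and `IDLE` values and all class and function names are assumptions, since the patent names no particular cipher. It shows several receivers sharing the common seed, and what happens to a receiver that advances its key stream on every bus clock instead of only while the synchronization signal is high.

```python
import hashlib

KEY = bytes(range(16))        # constructed sample key
IV = b"constructed-iv"        # constructed "additional information"
IDLE = 0x00                   # assumed value on the bus while a frame is interrupted


class Keystream:
    """Stand-in generator (assumption): SHA-256 in counter mode over the seed.
    The only property the scheme needs is that every wrapper derives the
    same byte sequence from the same seed."""

    def __init__(self, seed):
        self.seed, self.counter, self.block = seed, 0, b""

    def next_byte(self):
        if not self.block:
            ctr = self.counter.to_bytes(8, "big")
            self.block = hashlib.sha256(self.seed + ctr).digest()
            self.counter += 1
        value, self.block = self.block[0], self.block[1:]
        return value


class TxWrapper:
    """Stream cipher transmitter plus XOR unit (operations 71-73)."""

    def __init__(self, seed):
        self.ks = Keystream(seed)

    def drive(self, plaintext, stall_cycles):
        """Yield one (sync, bus_byte) pair per bus clock."""
        cycle = sent = 0
        while sent < len(plaintext):
            if cycle in stall_cycles:
                # Frame cut off mid-transfer: sync goes low and the
                # transmitter does not consume keystream.
                yield 0, IDLE
            else:
                yield 1, plaintext[sent] ^ self.ks.next_byte()
                sent += 1
            cycle += 1


class RxWrapper:
    """Stream cipher receiver (operations 81-83)."""

    def __init__(self, seed, honour_sync=True):
        self.ks = Keystream(seed)
        self.honour_sync = honour_sync
        self.out = bytearray()

    def clock(self, sync, bus_byte):
        if self.honour_sync and not sync:
            return                      # sync low: hold the keystream position
        self.out.append(bus_byte ^ self.ks.next_byte())


def simulate(plaintext, stall_cycles, n_receivers=3):
    """Broadcast one encrypted frame to n receivers that share the seed.
    Returns (bus trace, outputs of sync-gated receivers, output of a
    receiver that ignores sync and advances on every clock)."""
    seed = KEY + IV
    tx = TxWrapper(seed)
    gated = [RxWrapper(seed) for _ in range(n_receivers)]
    free_running = RxWrapper(seed, honour_sync=False)
    trace = []
    for sync, bus_byte in tx.drive(plaintext, set(stall_cycles)):
        trace.append((sync, bus_byte))
        for rx in gated:
            rx.clock(sync, bus_byte)
        free_running.clock(sync, bus_byte)
    return trace, [bytes(rx.out) for rx in gated], bytes(free_running.out)


if __name__ == "__main__":
    frame = b"WRITE addr=0x40 data=0xBEEF"      # constructed sample frame
    trace, outputs, drifted = simulate(frame, stall_cycles={5, 6, 7})
    print("sync line :", "".join(str(s) for s, _ in trace))
    print("gated rx  :", outputs[0])
    print("free rx   :", drifted)
```

After the three-cycle stall the free-running receiver is three keystream bytes ahead of the transmitter and never recovers, which is the failure the synchronization signal exists to prevent.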

The present invention is not limited to the exemplary embodiments described above, and those of ordinary skill in the art may make appropriate modifications.

The present invention can also be embodied as computer-readable code on a computer-readable recording medium. The computer-readable recording medium is any data storage device that can store data which can thereafter be read by a computer system. Examples of the computer-readable recording medium include read-only memory (ROM), random-access memory (RAM), CD-ROMs, magnetic tapes, hard disks, floppy disks, flash memory, optical data storage devices, and carrier waves (such as data transmission over the Internet). The computer-readable recording medium can also be distributed over networked computer systems so that the computer-readable code is stored and executed in a distributed fashion.

According to the present invention, an operation is performed on data to be sent over a bus, using a key stream generated from a predetermined key, to encrypt the data, and the encrypted data is sent to a predetermined module over the bus. In addition, a synchronization signal, which is logic high while the encrypted data is being sent over the bus, is provided to the predetermined module so that the data is decrypted with reference to the synchronization signal. The security of data sent over the bus can therefore be improved.

Furthermore, according to the present invention, when the power is turned on, the synchronization signal is broadcast and a common seed is shared, so the number of stream cipher transmitters/receivers can be reduced and a simple bus system can be realized. In addition, security can be maintained even when a new module is attached outside the trusted area, so the bus allows the system to be extended easily. The methods of encrypting and decrypting data according to the present invention can therefore be used effectively when at least one separate module is mounted outside the chip, when various modules are mounted on a board, when dedicated lines are used, and in an open bus system.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, those of ordinary skill in the art will understand that various changes in form and details may be made without departing from the spirit and scope of the invention as defined by the claims.

Claims (16)

1. A method of encrypting data, the method comprising:
(a) performing an operation on data to be sent over a bus, using a key stream generated from a predetermined key, to encrypt the data;
(b) sending the encrypted data to a predetermined module over the bus;
(c) sending a synchronization signal that switches to logic high when the encrypted data is sent to the predetermined module over the bus,
wherein, in step (c), the synchronization signal is broadcast to at least two predetermined modules.

2. The method of claim 1, wherein an XOR operation is performed on the data and the key stream to encrypt the data.

3. The method of claim 2, wherein the key stream is generated based on a seed comprising the predetermined key and additional information, and wherein the seed is applied in common during decryption of the encrypted data in the module that receives the encrypted data.

4. The method of claim 2, wherein the key stream is generated so as to be synchronized with a clock signal of the bus.

5. The method of claim 1, wherein the synchronization signal is synchronized with a clock signal of the bus.

6. The method of claim 1, wherein, in step (c), the synchronization signal is sent over each of a plurality of dedicated lines of the at least two predetermined modules.

7. The method of claim 1, wherein, in step (c), the synchronization signal is sent to the bus by a controller of the bus.

8. The method of claim 5, wherein the at least two predetermined modules are divided into groups, and the synchronization signal is sent to at least one group.

9. A method of decrypting data, comprising:
(a) receiving encrypted data from an encryption module over a bus;
(b) receiving a synchronization signal that is logic high when the encrypted data is sent over the bus;
(c) when the synchronization signal is logic high, performing an operation on the encrypted data using a key stream generated from a predetermined key,
wherein, in step (b), the synchronization signal is broadcast by the encryption module to at least two predetermined modules.

10. The method of claim 9, wherein the synchronization signal is synchronized with a clock signal of the bus.

11. The method of claim 9, wherein, in step (c), an XOR operation is performed on the encrypted data and the key stream to decrypt the encrypted data.

12. A bus system comprising at least two modules connected to a bus, wherein each module comprises a module core and a wrapper for interfacing the module core with the bus, wherein:
the wrapper encrypts a first data signal generated by the module core so as to send a first encrypted data signal over the bus, and outputs a first synchronization signal that switches to logic high when the first encrypted data signal is sent over the bus;
when a second data signal is sent over the bus, the wrapper decrypts the second data signal received from the bus according to a second synchronization signal that switches to logic high, and provides the decrypted second data signal to the module core,
wherein the first synchronization signal is broadcast to at least two modules that need to decrypt the first encrypted data signal, and the second synchronization signal is broadcast to at least two modules that need to decrypt the second data signal.

13. The system of claim 12, wherein the wrapper comprises:
a stream cipher transmitter that generates a key stream from a predetermined key when the first data signal is generated by the module core;
a stream cipher receiver that generates a key stream according to the second synchronization signal when the second data signal is received from the bus.

14. The system of claim 13, wherein the key stream is generated from a seed comprising the predetermined key and additional information, the seed being applied in common to every module.

15. The system of claim 13, wherein the wrapper further comprises:
a first operation unit that performs an XOR operation on the key stream and the first data signal to generate the first encrypted data signal;
a second operation unit that performs an XOR operation on the key stream and the second data signal to generate the decrypted second data signal.

16. The system of claim 12, wherein the first synchronization signal and the second synchronization signal are sent over each of a plurality of dedicated lines of the at least two modules.

CN200810081777.XA 2007-05-08 2008-03-13 Methods of encrypting and decrypting data and bus system using the methods Expired - Fee Related CN101304314B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2007-0044699 2007-05-08
KR1020070044699A KR101370829B1 (en) 2007-05-08 2007-05-08 Method of encrypting and decrypting data, and Bus System using the same

Publications (2)

Publication Number Publication Date
CN101304314A CN101304314A (en) 2008-11-12
CN101304314B true CN101304314B (en) 2013-07-10

Family

ID=39969548

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810081777.XA Expired - Fee Related CN101304314B (en) 2007-05-08 2008-03-13 Methods of encrypting and decrypting data and bus system using the methods

Country Status (4)

Country Link
US (1) US20080279371A1 (en)
JP (1) JP2008282004A (en)
KR (1) KR101370829B1 (en)
CN (1) CN101304314B (en)


Also Published As

Publication number Publication date
KR101370829B1 (en) 2014-03-10
US20080279371A1 (en) 2008-11-13
KR20080099070A (en) 2008-11-12
CN101304314A (en) 2008-11-12
JP2008282004A (en) 2008-11-20

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130710

Termination date: 20210313